The “omnibox” vulnerability makes it easier to phish users or steal their data.

A vulnerability in how Chrome and Firefox render website addresses could allow an attacker to trick a user into visiting a spoof website that appears to be legitimate.

Rafay Baloch, a security researcher, won $5,000 in a combined bug bounty for finding the flaw.

In a blog post on Tuesday, he explained that the flaw could be used to trick users into supplying sensitive information to a malicious site, because the website appears to be legitimate in the browser’s address box.

The address bar spoofing flaw works because languages written right-to-left, such as Arabic, are rendered differently. He explained that a neutral right-to-left character (such as a forward slash) can be used to flip a web address so that it also displays right-to-left.
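A mail gateway, proxy or link scanner can flag URLs whose displayed order may differ from their logical order by checking the Unicode bidirectional class of each character. The following is an added example, not code from the article or the researcher's post; the function names are hypothetical, the sample URLs are constructed, and the check goes beyond the article by also flagging explicit bidi control characters.

```python
import unicodedata
from urllib.parse import unquote

# Unicode bidi classes (UAX #9) that can change the visual order of a URL.
STRONG_RTL = {"R", "AL"}  # right-to-left letters, e.g. Hebrew and Arabic
CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_findings(url):
    """Return (index, code point, bidi class) for each risky character.

    The URL is percent-decoded first, because an address bar may show
    the decoded form rather than the %XX escapes.
    """
    shown = unquote(url)
    findings = []
    for i, ch in enumerate(shown):
        cls = unicodedata.bidirectional(ch)
        if cls in STRONG_RTL or cls in CONTROLS:
            findings.append((i, f"U+{ord(ch):04X}", cls))
    return findings


def classify(url):
    """Return 'ltr-only', 'rtl-only' or 'mixed'.

    'mixed' means strong left-to-right and right-to-left characters
    share one string, so display order can differ from logical order.
    """
    classes = {unicodedata.bidirectional(c) for c in unquote(url)}
    has_rtl = bool(classes & (STRONG_RTL | CONTROLS))
    has_ltr = "L" in classes
    if has_rtl and has_ltr:
        return "mixed"
    return "rtl-only" if has_rtl else "ltr-only"


if __name__ == "__main__":
    # Constructed sample URLs (documentation address and domain).
    samples = [
        "https://example.com/login",
        "http://192.0.2.10/%D8%A7/login",   # percent-encoded Arabic letter
        "https://example.com/a\u202eb",     # explicit override control
    ]
    for s in samples:
        print(classify(s), bidi_findings(s), ascii(s))
```

A "mixed" result is a signal for review rather than proof of spoofing, since legitimate internationalized URLs also combine directions.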